diff --git a/htdocs/core/lib/website.lib.php b/htdocs/core/lib/website.lib.php index 49486870a13..da16b0846c5 100644 --- a/htdocs/core/lib/website.lib.php +++ b/htdocs/core/lib/website.lib.php @@ -741,15 +741,9 @@ function dolSaveIndexPage($pathofwebsite, $fileindex, $filetpl, $filewrapper) @chmod($fileindex, octdec($conf->global->MAIN_UMASK)); dol_delete_file($filewrapper); - $wrappercontent = 'mycompany->dir_output."/".$original_file));'."\n"; - $wrappercontent.= "else print 'Bad value for modulepart or file';\n"; - $wrappercontent.= 'if (is_object($db)) $db->close();'."\n"; - $wrappercontent.= '// END PHP ?>'."\n"; + + $wrappercontent=file_get_contents(DOL_DOCUMENT_ROOT.'/website/samples/wrapper.html'); + $result2 = file_put_contents($filewrapper, $wrappercontent); if (! empty($conf->global->MAIN_UMASK)) @chmod($filewrapper, octdec($conf->global->MAIN_UMASK)); diff --git a/htdocs/website/index.php b/htdocs/website/index.php index 5913c32c71a..3606675a1c1 100644 --- a/htdocs/website/index.php +++ b/htdocs/website/index.php @@ -653,7 +653,7 @@ if ($action == 'addcontainer') $sample = GETPOST('sample','alpha'); if (empty($sample)) $sample='empty'; - $pathtosample = DOL_DOCUMENT_ROOT.'/website/page-sample-'.$sample.'.html'; + $pathtosample = DOL_DOCUMENT_ROOT.'/website/samples/page-sample-'.$sample.'.html'; // Init content with content into pagetemplate.html, blogposttempltate.html, ... $objectpage->content = make_substitutions(@file_get_contents($pathtosample), $substitutionarray); @@ -1956,7 +1956,7 @@ if (! GETPOST('hide_websitemenu')) print $formconfirm; } - if ($pageid > 0) + if ($pageid > 0 && $atleastonepage) // pageid can be set without pages, if homepage of site is set and all page were removed { // Confirmation to clone if ($action == 'createpagefromclone') { @@ -2034,7 +2034,7 @@ if (! GETPOST('hide_websitemenu')) print '
'; - if ($pageid > 0 && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone')) + if (($pageid > 0 && $atleastonepage) && ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone')) { $realpage=$urlwithroot.'/public/website/index.php?website='.$websitekey.'&pageref='.$websitepage->pageurl; $pagealias = $websitepage->pageurl; @@ -2749,7 +2749,7 @@ print "\n"; if ($action == 'preview' || $action == 'createfromclone' || $action == 'createpagefromclone') { - if ($pageid > 0) + if ($pageid > 0 && $atleastonepage) { // $filejs // $filecss diff --git a/htdocs/website/page-sample-corporatehome.html b/htdocs/website/samples/page-sample-corporatehome.html similarity index 100% rename from htdocs/website/page-sample-corporatehome.html rename to htdocs/website/samples/page-sample-corporatehome.html diff --git a/htdocs/website/page-sample-empty.html b/htdocs/website/samples/page-sample-empty.html similarity index 100% rename from htdocs/website/page-sample-empty.html rename to htdocs/website/samples/page-sample-empty.html diff --git a/htdocs/website/samples/wrapper.html b/htdocs/website/samples/wrapper.html new file mode 100644 index 00000000000..fb6a10b1264 --- /dev/null +++ b/htdocs/website/samples/wrapper.html @@ -0,0 +1,126 @@ +entity; +$original_file=GETPOST("file","alpha"); + +// If we have a hash public (hashp), we guess the original_file. +if (! empty($hashp)) +{ + include_once DOL_DOCUMENT_ROOT.'/ecm/class/ecmfiles.class.php'; + $ecmfile=new EcmFiles($db); + $result = $ecmfile->fetch(0, '', '', '', $hashp); + if ($result > 0) + { + $tmp = explode('/', $ecmfile->filepath, 2); // $ecmfile->filepath is relative to document directory + // filepath can be 'users/X' or 'X/propale/PR11111' + if (is_numeric($tmp[0])) // If first tmp is numeric, it is subdir of company for multicompany, we take next part. + { + $tmp = explode('/', $tmp[1], 2); + } + $moduleparttocheck = $tmp[0]; // moduleparttocheck is first part of path + + if ($modulepart) // Not required, so often not defined, for link using public hashp parameter. + { + if ($moduleparttocheck == $modulepart) + { + // We remove first level of directory + $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename); // this is relative to module dir + //var_dump($original_file); exit; + } + else + { + print 'Bad link. File is from another module part.'; + } + } + else + { + $modulepart = $moduleparttocheck; + $original_file = (($tmp[1]?$tmp[1].'/':'').$ecmfile->filename); // this is relative to module dir + } + } + else + { + print "ErrorFileNotFoundWithSharedLink"; + exit; + } +} + +// Define attachment (attachment=true to force choice popup 'open'/'save as') +$attachment = true; +if (preg_match('/\.(html|htm)$/i',$original_file)) $attachment = false; +if (isset($_GET["attachment"])) $attachment = GETPOST("attachment",'alpha')?true:false; +if (! empty($conf->global->MAIN_DISABLE_FORCE_SAVEAS)) $attachment=false; + +// Define mime type +$type = 'application/octet-stream'; +if (GETPOST('type','alpha')) $type=GETPOST('type','alpha'); +else $type=dol_mimetype($original_file); + +// Security: Delete string ../ into $original_file +$original_file=str_replace("../","/", $original_file); + +// Find the subdirectory name as the reference +$refname=basename(dirname($original_file)."/"); + +if ($_GET["modulepart"] == "mycompany" && preg_match('/^\/?logos\//', $original_file)) +{ + readfile(dol_osencode($conf->mycompany->dir_output."/".$original_file)); +} +else +{ + include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php'; + $check_access = dol_check_secure_access_document($modulepart, $original_file, $entity, $refname); + $accessallowed = $check_access['accessallowed']; + $sqlprotectagainstexternals = $check_access['sqlprotectagainstexternals']; + $fullpath_original_file = $check_access['original_file']; // $fullpath_original_file is now a full path name + if (! empty($_GET["hashp"])) + { + $accessallowed = 1; // When using hashp, link is public so we force $accessallowed + $sqlprotectagainstexternals = ''; + } + + // Security: + // Limit access if permissions are wrong + if (! $accessallowed) + { + print 'Access forbidden'; + exit; + } + + clearstatcache(); + + $filename = basename($fullpath_original_file); + + // Output file on browser + dol_syslog("wrapper.php download $fullpath_original_file filename=$filename content-type=$type"); + $fullpath_original_file_osencoded=dol_osencode($fullpath_original_file); // New file name encoded in OS encoding charset + + // This test if file exists should be useless. We keep it to find bug more easily + if (! file_exists($fullpath_original_file_osencoded)) + { + print "ErrorFileDoesNotExists: ".$original_file; + exit; + } + + // Permissions are ok and file found, so we return it + //top_httphead($type); + header('Content-Description: File Transfer'); + if ($encoding) header('Content-Encoding: '.$encoding); + // Add MIME Content-Disposition from RFC 2183 (inline=automatically displayed, attachment=need user action to open) + if ($attachment) header('Content-Disposition: attachment; filename="'.$filename.'"'); + else header('Content-Disposition: inline; filename="'.$filename.'"'); + header('Content-Length: ' . dol_filesize($fullpath_original_file)); + // Ajout directives pour resoudre bug IE + header('Cache-Control: Public, must-revalidate'); + header('Pragma: public'); + + readfile($fullpath_original_file_osencoded); +} +if (is_object($db)) $db->close(); +// END PHP ?>